-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2007-001 Original release: 2007-04-03 Last update: 2007-04-03 Topic: telnetd allows login as arbitrary user Severity: CRITICAL CVE: CVE-2007-0956 CERT: VU#220816 SUMMARY ======= The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an arbitrary user, when presented with a specially crafted username. Exploitation of this vulnerability is trivial. This is a vulnerability in an application program; it is not a bug in the MIT krb5 libraries or in the Kerberos protocol. IMPACT ====== A user can gain unauthorized access to any account (including root) on a host running telnetd. Whether the attacker needs to authenticate depends on the configuration of telnetd on that host. AFFECTED SOFTWARE ================= * telnetd in all releases of MIT krb5, up to and including krb5-1.6 FIXES ===== * The upcoming krb5-1.6.1 release will contain a fix for this vulnerability. Prior to that release you may: * disable telnetd or * apply the patch This patch is also available at http://web.mit.edu/kerberos/advisories/2007-001-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc *** src/appl/telnet/telnetd/state.c (revision 19480) - --- src/appl/telnet/telnetd/state.c (local) *************** *** 1665,1671 **** strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ strcmp(varp, "NLSPATH") && /* locale stuff */ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ ! strcmp(varp, "IFS")) { return 1; } else { syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp); - --- 1665,1672 ---- strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ strcmp(varp, "NLSPATH") && /* locale stuff */ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ ! strcmp(varp, "IFS") && ! !strchr(varp, '-')) { return 1; } else { syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp); *** src/appl/telnet/telnetd/sys_term.c (revision 19480) - --- src/appl/telnet/telnetd/sys_term.c (local) *************** *** 1287,1292 **** - --- 1287,1302 ---- #endif #if defined (AUTHENTICATION) if (auth_level >= 0 && autologin == AUTH_VALID) { + if (name[0] == '-') { + /* Authenticated and authorized to log in to an + account starting with '-'? Even if that + unlikely case comes to pass, the current login + program will not parse the resulting command + line properly. */ + syslog(LOG_ERR, "user name cannot start with '-'"); + fatal(net, "user name cannot start with '-'"); + exit(1); + } # if !defined(NO_LOGIN_F) #if defined(LOGIN_CAP_F) argv = addarg(argv, "-F"); *************** *** 1377,1387 **** } else #endif if (getenv("USER")) { ! argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { register char **cpp; for (cpp = environ; *cpp; cpp++) argv = addarg(argv, *cpp); } #endif - --- 1387,1405 ---- } else #endif if (getenv("USER")) { ! char *user = getenv("USER"); ! if (user[0] == '-') { ! /* "telnet -l-x ..." */ ! syslog(LOG_ERR, "user name cannot start with '-'"); ! fatal(net, "user name cannot start with '-'"); ! exit(1); ! } ! argv = addarg(argv, user); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { register char **cpp; for (cpp = environ; *cpp; cpp++) + if ((*cpp)[0] != '-') argv = addarg(argv, *cpp); } #endif REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2007-0956 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956 CERT: VU#220816 http://www.kb.cert.org/vuls/id/220816 ACKNOWLEDGMENTS =============== This vulnerability was found when attempting to confirm the absence of a related vulnerability in the Solaris telnetd. [CVE-2007-0882] DETAILS ======= The MIT krb5 telnet daemon fails to adequately check the provided username. A malformed username beginning with "-e" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication. If the telnet daemon is configured to only permit authenticated login, then only authenticated users can exploit this vulnerability. REVISION HISTORY ================ 2007-04-03 original release Copyright (C) 2007 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (SunOS) iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi TXhryamn6Yw= =aE5C -----END PGP SIGNATURE-----